Hello Everyone,
In this series, we will start discussing how customers can utilize Azure AD to protect their environment, Azure AD offering a lot of security features that can be utilized, hence with the time we will keep listing our customer challenges and how Azure AD can help to solve them.
In this article I will be discussing a very interesting topic where we see a lot of confusion when customers are looking to implement a solution to protect their exchange on-premises environment with Azure MFA.
Current traditional Exchange deployment allows the users to access their mailboxes using their traditional credentials (Username and password), in such deployment if any bad guys were able to know these credentials then it will be very easy for them to access the customer data. This raises a big concern regards the security, how we can prevent such unauthorized access to the data even if the credentials where stolen using any kind of attacks.
Security is a big trend these days, Azure Multi-factor authentication (MFA) is one of the Microsoft security solutions which can be used as a second layer of authentication, the simple idea of MFA is to prevent an attacker from gaining access even if they manage to learn the user’s password. It is useless without having possession of the additional authentication method. It works by requiring two or more of the following authentication methods:
· Something you know (typically a password)
· Something you have (a trusted device that is not easily duplicated, like a phone)
· Something you are (biometrics)
Multi -Factor Authentication can be used in multiple scenarios, each scenario needs specific implementation that can help to protect on-premises environment, typically in this article we will focus on Exchange on-premises where customers still not using Exchange online.
Azure offering a lot of ways to protect Exchange components, each scenario has pros and cons, in this article we will go through all options that we currently have.
This article will focus in two main components, OWA Authentication access and Outlook for windows MAC and Outlook for mobile Access since there are the two major ways for end users to access their mailboxes.
Note: anything applied in OWA will be by default applied to EAC access, in below article we only focusing in OWA, this is also applied for EAC by default without mention it explicitly.
MS Exchange published over Azure APP proxy:
Azure Application proxy is new way to publish your web-based application over internet securely. Application Proxy doesn’t require you to open inbound connections through your firewall which make it very secure to publish your on-premises applications in a very secure manner including Exchange OWA.
In this way, the authentication request will be start with Azure Active directory, which simply means that most of Azure security features can be applied to this kind of access such as conditional access and MFA.
As a quick overview of this flow:
- User A is trying to access OWA to get in his mailbox
- since OWA is published through Azure APP Proxy, the user will be redirected to Azure AD sign in page.
- User A will be asked to enter his credentials, if validating the credentials (Managed vs Federated domains) the user will be authenticated at this stage.
- Azure AD will evaluate all policies configured by admin, such as MFA, Conditional access controls … etc. User A should pass all security challenges.
- If the user passed all challenges, Azure AD will issue a toked to the user client device.
- User will take the token and send it to App Proxy service which will complete the flow of AuthN and AuthZ to have access to user mailbox through OWA.
- If user A failed to pass any required security challenges, user will not be able to access his mailbox.
We highly recommend starting using this deployment.
More info about Azure APP proxy can be found here: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy
Below is the typical flow architecture, again since the Request is going through Azure AD (Step 2), this clearly means that you can enable and Azure AD security feature like MFA or conditional access:
MS Exchange with hybrid modern authentication (HMA) mode
This is a new feature announced by MS exchange team recently, the idea in this solution is to forward the Exchange Authentication traffic to Azure AD, this is only applying to outlook and outlook in mobile traffic NOT OWA.
the steps taken during configuring Modern authentication result in evoSTS (a Security Token Service used by Azure AD) being set as Auth Server for Exchange server on-premises, in simple words, traffic will be routed to Azure AD, hence we can take advantage of azure AD security features like MFA and conditional access.
Some simple commands to be run on exchange servers can do the whole the magic and redirect the traffic to Azure AD, no major changes required.
This deployment working with Exchange 2013,2019 and 2019 with specific cumulative updates required, Skype for business can work under this model also even it’s not our main topic here.
It’s recommended to start using this approach.
More technical info can be found here: https://docs.microsoft.com/en-us/office365/enterprise/hybrid-modern-auth-overview
Below diagram show the typical flow, noting that this model works with Federated and managed domain, below flow show the federated scenario as an example, since again the flow will go through Azure AD, this give the ability to apply any Azure AD security features like MFA or Conditional access.
MS Exchange published over AD FS:
This a very traditional deployment, where customers already have AD FS in-place and they already published OWA through AD FS.
In addition to some built in security controls over AD FS itself like device registration, MFA is a valid option here, AD FS can support two types of MFA based on its version, Either to integrate AD FS directly with on-premises MFA server as secondary authentication if it’s already exist or with Azure MFA directly as Primary or secondary Authentication. Azure MFA only supported with AD FS 2016 and later versions.
We don’t recommend customers to deploy this solution as a new deployment due to below challenges that I will list later this article.
As a quick overview about the flow, we can summarize it as below:
- User A will try to access OWA.
- User A will be redirected to AD FS Authentication Page, to enter his credentials if MFA used as secondary Authentication.
- Once the user entered a correct username and password, based on the configuration user will be asked to pass the MFA challenge.
- Once user passed the MFA challenge, user will be able to access his mailbox.
- If MFA used as Primary Auth then user will be asked for MFA as primary Authentication.
Additional info about the technical deployment can be found here: https://docs.microsoft.com/en-us/exchange/clients/outlook-on-the-web/ad-fs-claims-based-auth?view=exchserver-2019
MS Exchange with MFA server on-premises:
This is an old way to protect the Exchange OWA, OWA built based on IIS, MFA on-premises server can be used to secure the IIS Authentication.
Currently, as we are moving away from MFA on premises server as mentioned here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfaserver-deploy
Also, this method requires installing the MFA server itself on each Exchange CAS server to secure the virtual directories for the OWA IIS.
Since we are moving away from this type of deployment, we don’t recommend using it at all, our recommendation also that if customer currently use it, is to move away from this deployment.
Now, each one of above solutions can be used in specific scenarios, for that lets summarize when we can use each scenario, to make it easier let’s use a tabular format for comparing:
| Scenario Name | OWA Protection | Outlook Protection | Network changes Required | Complexity of deployment | Users Sync Requirements | Other security features that can be utilized | Our Recommendations level |
| MS Exchange published over Azure APP proxy | YES | NO | No major changes required specially that APP Proxy does not require any inbound ports to be opened. | A very light on-premises deployment can achieve this, not much complex. | Yes, users should be synced through AD Connect to Azure AD. | YES | High |
| MS Exchange with MFA server on-premises | NO | YES | No, it does require some changes on Exchange side and allow Exchange to reach Azure AD to pass the traffic | No deployment required, just change the configuration in Exchange side. * | Yes, users should be synced through AD Connect to Azure AD. | YES | High |
| MS Exchange published over AD FS | YES | NO | No, with existing environment. | Very complex for new deployments. ** | Depends on which MFA deployment is used. *** | NO, only MFA | LOW |
| MS Exchange with MFA server on-premises | Yes | NO | – | Very complex deployment | No | No, only MFA | NOT recommended |
* Unless current Exchange environment version not matching the minimum requirement for this deployment, hence Exchange Upgrade may require: https://docs.microsoft.com/en-us/office365/enterprise/hybrid-modern-auth-overview
** AD FS is hard to manage, need lot of efforts and expertise, in addition that the high availability of this deployment requires a huge resources which is very costly.
*** in this deployment AD FS can user MFA server which does not require the users to be synced to Azure AD, also it can use Azure MFA directly which require users to be synced to Azure AD.
GO DO’s:
Looking to all above scenarios, we can clearly see that there is no single solution to protect all Exchange traffic (Outlook, OWA, Mobile) using Azure AD by utilizing its security features.
Hence, customers who are planning to completely secure ALL their Exchange on-premises traffic need to choose multiple deployments from above options.
For example, customers can use one of three main deployments to protect all exchange traffics as below options:
- App Proxy to Protect OWA + HMA mode to protect outlook traffic.
- AD FS (if the deployment already exists) to protect OWA + HMA mode for outlook traffic.
- Move totally to exchange online and enjoy all Azure AD features.
All above explanation should help our customers to take the best decision to protect their Exchange environment, keeping in mind that also the licensing part may play role here to take the decision. We recommend starting these kinds of deployment as mentioned above with our recommendations to avoid any unauthorized access to your company data.
Hope this article make it clearer now to our customers to start implementing Azure MFA to secure their data, please feel free to leave a question through comments if you need any more clarifications, I will be very happy to answer it and help you move forward.
Ahmad Yasin is a Technical Adviser at Microsoft in Azure identity Team and the Owner & publisher of AzureDummies blog. He also holds many certificates in office 365 and windows azure including Developing Microsoft Azure Solutions, Implementing Microsoft Azure Infrastructure Solutions, office 365, Azure Security Specialist.
